Fix use-after-free bug in long press selection

Source/core/input/EventHandler.cpp

Index: Source/core/input/EventHandler.cpp
diff --git a/Source/core/input/EventHandler.cpp b/Source/core/input/EventHandler.cpp
index 006aa2c40a9b7a45bfea777b122a31c3acd2a0e9..e869308b11cf8dc9dd93b3a1a5d3f02d57519328 100644
--- a/Source/core/input/EventHandler.cpp
+++ b/Source/core/input/EventHandler.cpp
@@ -2126,6 +2126,7 @@ bool EventHandler::handleGestureLongPress(const GestureEventWithHitTestResults&
 
     IntPoint hitTestPoint = m_frame->view()->rootFrameToContents(gestureEvent.position());
     HitTestResult result = hitTestResultAtPoint(hitTestPoint);
+    RefPtrWillBeRawPtr<FrameView> protector(m_frame->view());
     if (selectionController().handleGestureLongPress(gestureEvent, result)) {
         focusDocumentView();
         return true;
@@ -2785,7 +2786,7 @@ bool EventHandler::sendContextMenuEventForKey(Element* overrideTargetElement)
     // The contextmenu event is a mouse event even when invoked using the keyboard.
     // This is required for web compatibility.
     PlatformEvent::Type eventType = PlatformEvent::MousePressed;
-    if (m_frame->settings()->showContextMenuOnMouseUp())
+    if (m_frame->settings() && m_frame->settings()->showContextMenuOnMouseUp())

[yosin_UTC9, 2015/08/31 02:11:13]

Does this change relate to crbug/519905?
It is better to have another CL for this guard.

[majidvp, 2015/08/31 18:06:25]

It is necessary to fix the bug.

[yosin_UTC9, 2015/09/01 01:33:28]

Please this describe this in description explicitly.
Current description doesn't tell us relationship between
this change and |m_frame->view()| protection.

BTW, when |m_frame->settings()| is |nullptr|, |m_frame| is
detached, e.g. after |Frame::detach()|. So, we may not want
to process an event for detached frame. If we check detached
frame by another way, we don't need to check null for settings.
Anyway, this is another topic.

[majidvp, 2015/09/01 15:33:53]

Updated the description to make it clear. 

The test does detach the frame in the process of handling the longpress
selection. I agree that an alternative solution is to stop handling the 
event when the frame gets detached. That requires checking
for detached frame after any call that may run script in this case
|FrameSelection::selectFrameElementInParentIfFullySelected()|.

I choose the current solution mainly because it is similar to other places
in EventHandler where we protect frameview to avoid its destruction 
while event is being processed.

         eventType = PlatformEvent::MouseReleased;
 
     PlatformMouseEvent mouseEvent(locationInRootFrame, globalPosition, RightButton, eventType, 1, false, false, false, false, PlatformMouseEvent::RealOrIndistinguishable, WTF::currentTime());
@@ -2808,7 +2809,7 @@ bool EventHandler::sendContextMenuEventForGesture(const GestureEventWithHitTestR
 
     PlatformEvent::Type eventType = PlatformEvent::MousePressed;
 
-    if (m_frame->settings()->showContextMenuOnMouseUp())
+    if (m_frame->settings() && m_frame->settings()->showContextMenuOnMouseUp())

[yosin_UTC9, 2015/08/31 02:11:13]

Does this change relate to crbug/519905?
It is better to have another CL for this guard.

[majidvp, 2015/08/31 18:06:25]

Ditto.

         eventType = PlatformEvent::MouseReleased;
     else
         modifiers |= PlatformEvent::RightButtonDown;